VYPR

Vendor CVEs

PhpBB

All CVEs

356 total · sorted by risk
  • CVE-2006-3954Aug 1, 2006
    risk 0.00cvss epss 0.02

    Directory traversal vulnerability in usercp.php in MyBB (aka MyBulletinBoard) 1.x allows remote attackers to read arbitrary files via a .. (dot dot) in the gallery parameter in a (1) avatar or (2) do_avatar action.

  • CVE-2006-3758Jul 21, 2006
    risk 0.00cvss epss 0.01

    inc/init.php in Archive Mode (Light) in MyBB (aka MyBulletinBoard) 1.1.4 calls the extract function with EXTR_OVERWRITE on HTTP POST and GET variables, which allows remote attackers to overwrite arbitrary variables, as demonstrated via an SQL injection using the…

  • CVE-2006-3760Jul 21, 2006
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) 1.1.4 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2006-3761Jul 21, 2006
    risk 0.00cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.0 RC2 through 1.1.4 allows remote attackers to inject arbitrary web script or HTML via a javascript URI with an SGML numeric character reference in the url BBCode tag, as…

  • CVE-2006-3759Jul 21, 2006
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in MyBB (aka MyBulletinBoard) 1.1.4, related has unspecified impact and attack vectors related to "user group manipulation."

  • CVE-2006-3420Jul 7, 2006
    risk 0.00cvss epss 0.02

    Cross-site request forgery (CSRF) vulnerability in editpost.php in MyBulletinBoard (MyBB) before 1.1.5 allows remote attackers to perform unauthorized actions as a logged in user and delete arbitrary forum posts via a bbcode IMG tag with a modified delete parameter in a…

  • CVE-2006-3243Jun 27, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in usercp.php in MyBB (MyBulletinBoard) 1.0 through 1.1.3 allows remote attackers to execute arbitrary SQL commands via the showcodebuttons parameter.

  • CVE-2006-2949Jun 12, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in private.php in MyBB 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the do parameter.

  • CVE-2006-2589May 25, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in rss.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter. NOTE: it is not clear from the original report how this attack can succeed, since the demonstration URL uses a variable…

  • CVE-2006-2333May 12, 2006
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) 1.1.1 allow remote attackers to execute arbitrary SQL commands via the e-mail address when registering for a forum that requires e-mail verification, which is not properly handled in (1) usercp.php and (2)…

  • CVE-2006-2150May 3, 2006
    risk 0.00cvss epss 0.02

    PHP remote file inclusion vulnerability in top/list.php in phpBB TopList 1.3.8 and earlier allows remote attackers to include arbitrary files via the returnpath parameter.

  • CVE-2006-2134May 2, 2006
    risk 0.00cvss epss 0.10

    PHP remote file inclusion vulnerability in /includes/kb_constants.php in Knowledge Base Mod for PHPbb 2.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_root_path parameter.

  • CVE-2006-2103Apr 29, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in MyBB (MyBulletinBoard) 1.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the (1) query string ($querystring variable) in (a) admin/adminlogs.php, which is not properly handled by adminfunctions.php; or (2)…

  • CVE-2006-1911Apr 20, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBB (MyBulletinBoard) 1.1 allows remote attackers to inject arbitrary web script or HTML via the attachment content disposition in an HTML attachment.

  • CVE-2006-1895Apr 20, 2006
    risk 0.00cvss epss 0.01

    Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1) bypasses a loose ".*" regular expression to match BEGIN and END statements in…

  • CVE-2006-1896Apr 20, 2006
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP code via crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature values, possibly involving the highlight functionality. NOTE: the…

  • CVE-2006-1775Apr 13, 2006
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Group name and (3) Group description fields in (b) admin_groups.php and (c)…

  • CVE-2006-1716Apr 11, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode img tag. NOTE: the email vector is already covered by CVE-2006-1625, although…

  • CVE-2006-1717Apr 11, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in newthread.php in MyBB (aka MyBulletinBoard) 1.10, when configured to permit new threads by unregistered users, allows remote attackers to inject arbitrary web script or HTML via the username.

  • CVE-2006-1625Apr 5, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode email tag, as demonstrated using the onmousemove event.

  • CVE-2006-1603Apr 4, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via the cur_password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2006-1345Mar 22, 2006
    risk 0.00cvss epss 0.01

    polls.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to obtain sensitive information via a vote action with an "option[]=null" parameter value, which reveals the path in an error message.

  • CVE-2006-1281Mar 19, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in member.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vulnerability than CVE-2006-1272. NOTE: 1.10 was later reported to be vulnerable.

  • CVE-2006-1282Mar 19, 2006
    risk 0.00cvss epss 0.01

    CRLF injection vulnerability in inc/function.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to conduct cross-site scripting (XSS), poison caches, or hijack pages via CRLF (%0A%0D) sequences in the Referrer HTTP header field, possibly when redirecting to other web…

  • CVE-2006-1272Mar 19, 2006
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in member.php in MyBulletin Board (MyBB) 1.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) aim, (2) yahoo, (3) msn, or (4) website field.

  • CVE-2006-1065Mar 7, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in search.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to execute arbitrary SQL commands via the forums[] parameter.

  • CVE-2006-0770Feb 18, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in calendar.php in MyBulletinBoard (MyBB) 1.0.4 allows remote attackers to inject arbitrary web script or HTML via a URL that is not sanitized before being returned as a link in "advanced details". NOTE: the provenance of this…

  • CVE-2006-0639Feb 10, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in search.php in MyBB (aka MyBulletinBoard) 1.0.2 allows remote attackers with knowledge of the table prefix to inject arbitrary web script or HTML via a URL encoded value of the keywords parameter, as demonstrated by %3Cscript%3E.

  • CVE-2006-0632Feb 10, 2006
    risk 0.00cvss epss 0.03

    The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, which makes it easier for remote attackers to obtain the key and modify passwords…

  • CVE-2006-0638Feb 10, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in moderation.php in MyBB (aka MyBulletinBoard) 1.0.3 allows remote authenticated users, with certain privileges for moderating and merging posts, to execute arbitrary SQL commands via the posts parameter.

  • CVE-2006-0437Feb 6, 2006
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">"…

  • CVE-2006-0438Feb 6, 2006
    risk 0.00cvss epss 0.02

    Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1)…

  • CVE-2006-0523Feb 2, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in global.php in MyBB before 1.03 allows remote attackers to execute arbitrary SQL commands via the templatelist variable.

  • CVE-2006-0495Feb 1, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the Add Thread to Favorites feature in usercp2.php in MyBB (aka MyBulletinBoard) 1.02 allows remote attackers to inject arbitrary web script or HTML via an HTTP Referer header ($url variable).

  • CVE-2006-0494Feb 1, 2006
    risk 0.00cvss epss 0.00

    Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.02 allows local users with MyBB administrative privileges to include and possibly execute arbitrary local files via directory traversal sequences and a nul (%00) character in the plugin parameter.

  • CVE-2006-0450Jan 27, 2006
    risk 0.00cvss epss 0.05

    phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database.

  • CVE-2006-0406Jan 25, 2006
    risk 0.00cvss epss 0.02

    search.php in MyBB 1.0.2 allows remote attackers to obtain sensitive information via a certain search request that reveals the table prefix in a SQL error message, possibly due to invalid parameters.

  • CVE-2006-0364Jan 22, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBulletinBoard (MyBB) allows remote attackers to inject arbitrary web script or HTML via a signature containing a JavaScript URI in the SRC attribute of an IMG element, in which the URI uses SGML numeric character references without…

  • CVE-2006-0219Jan 16, 2006
    risk 0.00cvss epss 0.01

    The original distribution of MyBulletinBoard (MyBB) to update from older versions to 1.0.2 omits or includes older versions of certain critical files, which allows attackers to conduct (1) SQL injection attacks via an attachment name that is not properly handled by…

  • CVE-2006-0218Jan 16, 2006
    risk 0.00cvss epss 0.01

    Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and…

  • CVE-2006-0063Jan 5, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of…

  • CVE-2005-4603Dec 31, 2005
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in printthread.php in MyBB 1.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a thread message, which is not properly sanitized in the print view of the thread.

  • CVE-2005-4602Dec 31, 2005
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in inc/function_upload.php in MyBB before 1.0.1 allows remote attackers to execute arbitrary SQL commands via the file extension of an uploaded file attachment.

  • CVE-2005-3536Dec 22, 2005
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic type.

  • CVE-2005-3537Dec 22, 2005
    risk 0.00cvss epss 0.01

    A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other inputs.

  • CVE-2005-4357Dec 20, 2005
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) characters and active attributes such as onmouseover.

  • CVE-2005-4358Dec 20, 2005
    risk 0.00cvss epss 0.02

    admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to obtain the installation path via a direct request with a non-empty setmodules parameter, which causes an invalid append_sid function call that leaks the path in an error message.

  • CVE-2005-4346Dec 19, 2005
    risk 0.00cvss epss 0.01

    Invalid SQL syntax error in blog.php in phpBB Blog 2.2.2 and earlier allows remote attackers to obtain the full path of the application via an invalid permalink parameter to index.php, which produces an invalid SQL query that leaks the full pathname in a SQL syntax error…

  • CVE-2005-4200Dec 13, 2005
    risk 0.00cvss epss 0.02

    Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0 have unknown impact and attack vectors, a different set of vulnerabilities than those identified by CVE-2005-4199.

  • CVE-2005-4084Dec 8, 2005
    risk 0.00cvss epss 0.01

    xs_edit.php in the phpBB eXtreme Styles module 2.2.1 and earlier allows remote attackers to obtain the installation path of the application via an invalid viewbackup parameter.

Page 6 of 8